Fix classpath security checks for external tests. #33066
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Pinging @elastic/es-core-infra |
rjernst
requested changes
Aug 28, 2018
There was a problem hiding this comment.
Thanks for investigating this @mattweber! I think we can make it a bit simpler, as we don't to support some of the cases handled here.
| Path filePath = PathUtils.get(location.toURI()); | ||
| if (Files.isRegularFile(filePath)) { | ||
| String fileName = filePath.getFileName().toString(); | ||
| if (!codebases.containsKey(name) && !codebases.containsKey(fileName)) { |
There was a problem hiding this comment.
We prefer using == false instead of ! as it the first is more obvious when scanning code.
| // if we find the class in a file (jar), make sure that jar is not already in the codebases map | ||
| // this will be the case when using test framework externally | ||
| Path filePath = PathUtils.get(location.toURI()); | ||
| if (Files.isRegularFile(filePath)) { |
There was a problem hiding this comment.
I think we can do this more simply by looking at endsWith(".jar") of the uri string. We don't really need to convert the uri to a path, since we don't need to load the file. Then, the original if statement can simply be wrapped with like:
URL location = clazz.getProtectionDomain().getCodeSource().getLocation();
if (location.toString().endsWith(".jar") == false) {
// original if and exception here
}
Basically, if the file is in a jar, we don't need to worry about it here, as those would have already been added to the codebases map by Security.getCodebaseJarMap. This method is about adding classes that are on the classpath, but not via a jar (ie built by the IDE).
|
Thanks @rjernst! I have made the suggested change. |
|
@elasticmachine ok to test |
rjernst
approved these changes
Aug 29, 2018
|
Great thanks for picking this up @rjernst. Can you please backport to 6x? |
|
Yes, I will backport to 6.x. Can you sync your branch with master? I believe CI is failing because of a recent commit to master that needs to be in sync with current 6.x for bwc tests. |
This commit checks that when we manually add a class to the codebase map, that it does in-fact not exist on the classpath in a jar. This will only be true if we are using the test framework externally such as when a user develops a plugin.
mattweber
force-pushed
the
testing_bootstrap_internal_libs
branch
from
4eec240 to
6c3e945
Compare
|
@rjernst rebased and squashed |
|
Thanks again @mattweber |
rjernst
pushed a commit
that referenced
this pull request
Aug 29, 2018
This commit checks that when we manually add a class to the codebase map, that it does in-fact not exist on the classpath in a jar. This will only be true if we are using the test framework externally such as when a user develops a plugin.
dnhatn
added a commit
that referenced
this pull request
Sep 1, 2018
* 6.x: Mute test watcher usage stats output [Rollup] Fix FullClusterRestart test TEST: Disable soft-deletes in ParentChildTestCase TEST: Disable randomized soft-deletes settings Integrates soft-deletes into Elasticsearch (#33222) drop `index.shard.check_on_startup: fix` (#32279) Fix AwaitsFix issue number Mute SmokeTestWatcherWithSecurityIT testsi [DOCS] Moves ml folder from x-pack/docs to docs (#33248) TEST: mute more SmokeTestWatcherWithSecurityIT tests [DOCS] Move rollup APIs to docs (#31450) [DOCS] Rename X-Pack Commands section (#33005) Fixes SecurityIntegTestCase so it always adds at least one alias (#33296) TESTS: Fix Random Fail in MockTcpTransportTests (#33061) (#33307) MINOR: Remove Dead Code from PathTrie (#33280) (#33306) Fix pom for build-tools (#33300) Lazy evaluate java9home (#33301) SQL: test coverage for JdbcResultSet (#32813) Work around to be able to generate eclipse projects (#33295) Different handling for security specific errors in the CLI. Fix for #33230 (#33255) [ML] Refactor delimited file structure detection (#33233) SQL: Support multi-index format as table identifier (#33278) Enable forbiddenapis server java9 (#33245) [MUTE] SmokeTestWatcherWithSecurityIT flaky tests Add region ISO code to GeoIP Ingest plugin (#31669) (#33276) Don't be strict for 6.x Update serialization versions for custom IndexMetaData backport Replace IndexMetaData.Custom with Map-based custom metadata (#32749) Painless: Fix Bindings Bug (#33274) SQL: prevent duplicate generation for repeated aggs (#33252) TEST: Mute testMonitorClusterHealth Fix serialization of empty field capabilities response (#33263) Fix nested _source retrieval with includes/excludes (#33180) [DOCS] TLS file resources are reloadable (#33258) Watcher: Ensure TriggerEngine start replaces existing watches (#33157) Ignore module-info in jar hell checks (#33011) Fix docs build after #33241 [DOC] Repository GCS ADC not supported (#33238) Upgrade to latest Gradle 4.10 (#32801) Fix/30904 cluster formation part2 (#32877) Move file-based discovery to core (#33241) HLRC: add client side RefreshPolicy (#33209) [Kerberos] Add unsupported languages for tests (#33253) Watcher: Reload properly on remote shard change (#33167) Fix classpath security checks for external tests. (#33066) [Rollup] Only allow aggregating on multiples of configured interval (#32052) Added deprecation warning for rescore in scroll queries (#33070) Apply settings filter to get cluster settings API (#33247) [Rollup] Re-factor Rollup Indexer into a generic indexer for re-usability (#32743) HLRC: create base timed request class (#33216) HLRC: Use Optional in validation logic (#33104) Painless: Add Bindings (#33042)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit checks that when we manually add a class to
the codebase map, that it does in-fact not exist on the classpath
in a jar. This will only be true if we are using the test framework
externally such as when a user develops a plugin.
This check is only needed when running tests via an IDE such as IntelliJ.
Closes #33045